02-17-2023 02:00 PM
What is everyone doing to get SGT tags applied to clients authenticating 802.1X via ISE? We recently migrated to WLC 9800s, and I have gone through the TrustSec config section of the WLC. My WLCs are aware of the SGT mappings from ISE, but none of my clients are getting assigned any tag. FYI, for any client authenticating NOT through the WLC, SGTs are working. Anyway, I worked through the limited documentation there is for using inline tagging off the flex profile, but that hasn't solved any issues. Just curious for now how others are getting their wireless clients tagged. My environment is WLC 9800 with 1852 APs in flex mode.
02-17-2023 02:08 PM
What does your config look like?
Check the guide below:
02-17-2023 02:58 PM
Thanks. I followed this document when setting up the WLC, so our implementation follows this almost exactly. However, none of our clients connecting through the WLC are getting a security group (SGT) assigned to them from ISE. FlexConnect works as expected. This is the document that I found with regard to inline tagging. However, it is still not providing me with a solution, nor what I expect to see as far as ISE authentication. Non-wireless clients are assigned a security group tag to align with our TrustSec implementation.
02-23-2023 09:29 AM
Could this be my issue? The switch that my vWLC is connected to runs NX-OS, which cannot be enabled for CTS/SXP. So when it says to peer with the upstream switch, I am assuming that has to be aware of the SGTs on your network.